CVE-2025-10641: CWE-319 Cleartext Transmission of Sensitive Information in EfficientLab WorkExaminer Professional
All WorkExaminer Professional traffic between monitoring client, console and server is transmitted as plain text. This allows an attacker with access to the network to read the transmitted sensitive data. An attacker can also freely modify the data on the wire. The monitoring clients transmit their data to the server using unencrypted FTP. Clients connect to the FTP server on port 12304 and transmit the data unencrypted. In addition, all traffic between the console client and the server on port 12306 is unencrypted.
AI Analysis
Technical Summary
CVE-2025-10641 identifies a critical security flaw in EfficientLab's WorkExaminer Professional software, specifically versions up to 4.0.0.52001, where all network traffic between monitoring clients, the console, and the server is transmitted in plaintext. The monitoring clients send data to the server using unencrypted FTP on port 12304, while the console communicates with the server on port 12306 without encryption. This cleartext transmission allows attackers with network access to perform passive eavesdropping to capture sensitive information, including potentially confidential monitoring data, credentials, or configuration details. Furthermore, attackers can actively modify the data in transit, leading to integrity violations such as falsified monitoring reports or commands. The vulnerability is classified under CWE-319, which concerns the cleartext transmission of sensitive information. The CVSS v3.1 base score is 7.1 (high), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with limited integrity impact and no availability impact. Although no public exploits are currently known, the ease of exploitation and the sensitive nature of the data involved make this a significant threat. The lack of encryption in FTP and console-server communications is a fundamental security oversight, exposing organizations to man-in-the-middle (MitM) attacks and data breaches. The vulnerability affects all deployments running the specified versions or earlier, emphasizing the need for immediate remediation.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the confidentiality and integrity of sensitive monitoring data transmitted within corporate networks. Given the nature of WorkExaminer Professional as an employee monitoring tool, intercepted data could reveal private user activity, internal policies, or sensitive operational details, potentially violating GDPR and other data protection regulations. The ability to modify data in transit could lead to falsified monitoring results, undermining trust in the system and potentially enabling insider threats or fraud. Organizations in regulated industries such as finance, healthcare, and government are particularly vulnerable due to the sensitivity of monitored data and strict compliance requirements. The exposure of unencrypted FTP traffic and console communications increases the attack surface for lateral movement within networks, especially in environments where network segmentation is weak. The impact extends beyond data leakage to potential reputational damage, regulatory fines, and operational disruptions if attackers manipulate monitoring data to conceal malicious activities.
Mitigation Recommendations
Immediate mitigation should focus on eliminating unencrypted communication channels. Organizations should configure WorkExaminer Professional to use secure alternatives such as SFTP or FTPS instead of plain FTP for client-server data transmission. If the product does not natively support encrypted protocols, network-level encryption via VPNs or TLS tunnels should be implemented to protect traffic on ports 12304 and 12306. Network segmentation and strict access controls should limit exposure of these ports to trusted hosts only. Monitoring network traffic for unusual activity or unauthorized modifications can help detect exploitation attempts. Organizations should engage with EfficientLab to obtain patches or updated versions that address this vulnerability and plan prompt upgrades. Additionally, reviewing and enhancing internal security policies around monitoring data handling and transmission is recommended. Employee training on recognizing potential signs of network interception and incident response readiness will further strengthen defenses.
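The analysis above notes that the cleartext channels are identifiable by their fixed ports (12304 for client FTP, 12306 for the console), and the mitigation section recommends tunnelling those ports and monitoring them for unexpected traffic. The following is an added example, not code from the advisory, from EfficientLab or from the WorkExaminer product, showing how a defender can check a connection log against that mitigation: once the two ports are wrapped in a VPN or TLS tunnel, the only host that should reach them on the server is the tunnel terminator, so any other source is an unprotected session. The log format (tab-separated columns), the server address, the tunnel endpoint, the trusted subnets and every log record are constructed assumptions for this example.

```python
"""Flag cleartext WorkExaminer Professional sessions in a connection log.

Added example; not part of the advisory or the vendor's product. The log
layout, addresses and records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the advisory: 12304 (monitoring client -> server FTP),
# 12306 (console client -> server).
WORKEXAMINER_PORTS = {12304: "monitoring-client FTP", 12306: "console"}
# FTP login verbs; seeing them on the wire means credentials are in cleartext.
FTP_CREDENTIAL_VERBS = ("USER ", "PASS ")

# Constructed log: ts, src, sport, dst, dport, service, payload_sample
SAMPLE_LOG = """\
# ts\tsrc\tsport\tdst\tdport\tservice\tpayload_sample
1700000000.1\t10.0.1.21\t51000\t10.0.1.5\t12304\tftp\tUSER wx_client
1700000000.2\t10.0.1.22\t51001\t10.0.1.5\t12304\tftp\tSTOR 2025-10-21-activity.log
1700000000.3\t10.0.2.9\t51002\t10.0.1.5\t12306\t-\t(binary console frame)
1700000000.4\t10.0.9.77\t51003\t10.0.1.5\t12304\tftp\tRETR config.ini
1700000000.5\t10.0.1.50\t51004\t10.0.1.5\t12304\tftp\tSTOR 2025-10-21-activity.log
1700000000.6\t10.0.1.21\t51005\t10.0.1.5\t443\tssl\t-
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dport: int
    channel: str
    severity: str
    reason: str


def parse_conn_log(text):
    """Parse the tab-separated log into dicts, skipping comments and blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, service, sample = line.split("\t", 6)
        records.append({"ts": float(ts), "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport), "service": service,
                        "sample": sample})
    return records


def analyze(records, server, tunnel_endpoints, trusted_nets):
    """Return findings for sessions that reach the two cleartext ports unprotected.

    server:           IP of the WorkExaminer server (assumed).
    tunnel_endpoints: hosts that terminate the VPN/TLS tunnel; their sessions
                      were encrypted on the wire and are not reported.
    trusted_nets:     subnets where monitoring clients and consoles live.
    """
    findings = []
    tunnel = {ipaddress.ip_address(ip) for ip in tunnel_endpoints}
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for r in records:
        if r["dst"] != server or r["dport"] not in WORKEXAMINER_PORTS:
            continue
        src = ipaddress.ip_address(r["src"])
        channel = WORKEXAMINER_PORTS[r["dport"]]
        if src in tunnel:
            continue  # arrived through the tunnel terminator: protected in transit
        if not any(src in n for n in nets):
            findings.append(Finding(r["src"], r["dport"], channel, "high",
                                    "cleartext session from host outside the trusted allowlist"))
        elif r["dport"] == 12304 and r["sample"].startswith(FTP_CREDENTIAL_VERBS):
            findings.append(Finding(r["src"], r["dport"], channel, "high",
                                    "FTP credentials visible in cleartext"))
        else:
            findings.append(Finding(r["src"], r["dport"], channel, "medium",
                                    "cleartext session bypassing the tunnel"))
    return findings


def run_sample():
    """Analyze the constructed log with constructed server, tunnel and subnets."""
    records = parse_conn_log(SAMPLE_LOG)
    return analyze(records, server="10.0.1.5", tunnel_endpoints=["10.0.1.50"],
                   trusted_nets=["10.0.1.0/24", "10.0.2.0/24"])


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.src} -> :{f.dport} ({f.channel}): {f.reason}")
```

On the sample log this reports four sessions: the two high-severity ones are an FTP login whose credentials crossed the wire in cleartext and a session from a host outside the trusted subnets, and the two medium ones are otherwise legitimate clients that reached the server directly rather than through the tunnel endpoint. The session from the tunnel terminator and the unrelated HTTPS session are ignored. A real deployment would feed this from a sensor's connection log (Zeek-style conn records or NetFlow with payload sampling) instead of the embedded string.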
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-17T14:05:17.784Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68f7770ba08cdec950690ab6
Added to database: 10/21/2025, 12:05:31 PM
Last enriched: 11/4/2025, 12:34:33 PM
Last updated: 12/7/2025, 2:47:10 PM